The business and culture of our digital lives, from the L.A. Times

FTC settles with Twitter on 'misleading' security practices

March 11, 2011 | 2:44
pm

The Federal Trade Commission has agreed on a settlement with Twitter resulting from the site's alleged "serious lapses" in data security that allowed hackers to take over Twitter twice in 2009, accessing users' private information and hijacking accounts to send out phony tweets.

According to an FTC statement, the settlement "resolved charges that Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information."

Twitter was about 2 years old at the time of the incidents, a young site that often struggled under the weight of its fast-growing traffic and server demands.

Hackers were able to take over several dozen prominent Twitter accounts, including those of Barack Obama, Britney Spears and then-CNN anchor Rick Sanchez, for whom a phony tweet was put out declaring that, "i am high on crack right now might not be coming to work today."

The hackers also gained access to the accounts' e-mail addresses and other associated data.

At the time, Twitter called the episode a "very serious breach of security."

The FTC noted that, at the time of the attacks, Twitter's privacy policy said that the company was "very concerned about safeguarding the confidentiality of your personally identifiable information" and that Twitter employed "administrative, physical, and electronic measures designed to protect your information from unauthorized access."

That language has since been removed from Twitter's privacy policy (here's the original). The current version does not contain any assurances about the security of users' data.

As part of the settlement, Twitter is barred for 20 years from "misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information."

The settlement, which was unanimously approved by FTC officers, also requires Twitter to create a "comprehensive information security program," which will be reviewed by an independent auditor every other year for 10 years.

When asked for a comment on the settlement, a Twitter spokeswoman pointed to a company blog post from last year, which noted that "even before the agreement, we'd implemented many of the FTC's suggestions" and that "the agreement formalizes our commitment to those security practices."